× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: fbe734637d472e38d4fa0e3f270daac4e54d9ff63ddf286672c7125419e9613e
File name: 393363
Detection ratio: 7 / 58
Analysis date: 2016-03-27 00:22:31 UTC ( 3 years, 1 month ago ) View latest
Antivirus Result Update
DrWeb Program.Unwanted.970 20160327
ESET-NOD32 Win32/MyPCBackup.A potentially unwanted 20160326
McAfee Artemis!3D67350FC974 20160327
McAfee-GW-Edition Artemis 20160327
NANO-Antivirus Riskware.Win32.Unwanted.dyxdti 20160326
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20160326
Zillya Trojan.Black.Win32.41412 20160326
Ad-Aware 20160326
AegisLab 20160326
Yandex 20160316
AhnLab-V3 20160326
Alibaba 20160323
ALYac 20160326
Antiy-AVL 20160326
Arcabit 20160326
Avast 20160327
AVG 20160327
Avira (no cloud) 20160326
AVware 20160327
Baidu 20160325
Baidu-International 20160326
BitDefender 20160327
Bkav 20160326
ByteHero 20160327
CAT-QuickHeal 20160326
ClamAV 20160326
CMC 20160322
Comodo 20160326
Cyren 20160327
Emsisoft 20160327
F-Prot 20160327
F-Secure 20160326
Fortinet 20160327
GData 20160327
Ikarus 20160326
Jiangmin 20160327
K7AntiVirus 20160326
K7GW 20160323
Kaspersky 20160327
Kingsoft 20160327
Malwarebytes 20160326
Microsoft 20160326
eScan 20160326
nProtect 20160325
Panda 20160326
Qihoo-360 20160327
Sophos AV 20160326
SUPERAntiSpyware 20160326
Symantec 20160326
Tencent 20160327
TheHacker 20160325
TotalDefense 20160326
TrendMicro 20160326
TrendMicro-HouseCall 20160326
VBA32 20160326
VIPRE 20160326
ViRobot 20160326
Zoner 20160326
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright © Remo Software, All rights reserved.

Product Remo Recover
File version 4.0.0.34
Description Remo Recover 4.0 Setup
Comments This installation was built with Inno Setup.
Signature verification Signed file, verified signature
Signing date 12:17 PM 10/29/2013
Signers
[+] Remo Software
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 12:00 AM 01/17/2011
Valid to 11:59 PM 01/16/2014
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 52046AD23041DA04291669C389F5445B3439A039
Serial number 00 A3 15 21 59 5B E4 43 AD 7C C9 30 DA B8 68 D5 16
[+] Sectigo (UTN Object)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 06:31 PM 07/09/1999
Valid to 06:40 PM 07/09/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Counter signers
[+] COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 12:00 AM 05/10/2010
Valid to 11:59 PM 05/10/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] Sectigo (UTN Object)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 06:31 PM 07/09/1999
Valid to 06:40 PM 07/09/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbrint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Packers identified
F-PROT INNO, NSIS, appended, Aspack, Unicode
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x0000A5F8
Number of sections 8
PE sections
Overlays
MD5 02cbde6b6b229dce04948efa169cd482
File type data
Offset 508928
Size 18318400
Entropy 8.00
PE imports
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegQueryValueExA
AdjustTokenPrivileges
RegOpenKeyExA
InitCommonControls
GetSystemTime
GetLastError
GetEnvironmentVariableA
GetStdHandle
EnterCriticalSection
GetUserDefaultLangID
GetSystemInfo
GetFileAttributesA
GetExitCodeProcess
ExitProcess
CreateDirectoryA
VirtualProtect
GetVersionExA
RemoveDirectoryA
RtlUnwind
LoadLibraryA
DeleteCriticalSection
GetCurrentProcess
SizeofResource
GetLocaleInfoA
LocalAlloc
LockResource
IsDBCSLeadByte
DeleteFileA
GetWindowsDirectoryA
GetSystemDefaultLCID
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GetProcAddress
FormatMessageA
SetFilePointer
RaiseException
WideCharToMultiByte
GetModuleHandleA
ReadFile
InterlockedExchange
WriteFile
CloseHandle
GetACP
GetFullPathNameA
LocalFree
CreateProcessA
GetModuleFileNameA
InitializeCriticalSection
LoadResource
VirtualQuery
VirtualFree
TlsGetValue
Sleep
GetFileType
SetEndOfFile
TlsSetValue
CreateFileA
FindResourceA
VirtualAlloc
GetFileSize
SetLastError
LeaveCriticalSection
SysStringLen
SysAllocStringLen
VariantCopyInd
VariantClear
VariantChangeTypeEx
CharPrevA
CreateWindowExA
LoadStringA
DispatchMessageA
CallWindowProcA
MessageBoxA
PeekMessageA
SetWindowLongA
MsgWaitForMultipleObjects
TranslateMessage
ExitWindowsEx
DestroyWindow
Number of PE resources by type
RT_ICON 12
RT_STRING 6
RT_MANIFEST 1
RT_RCDATA 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 15
NEUTRAL 7
PE resources
ExifTool file metadata
SubsystemVersion
4.0

Comments
This installation was built with Inno Setup.

InitializedDataSize
467456

ImageVersion
6.0

ProductName
Remo Recover

FileVersionNumber
4.0.0.34

UninitializedDataSize
0

LanguageCode
Neutral

FileFlagsMask
0x003f

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi

CharacterSet
Unicode

LinkerVersion
2.25

FileTypeExtension
exe

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
4.0.0.34

TimeStamp
1992:06:19 22:22:17+00:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
4.0.0.34

FileDescription
Remo Recover 4.0 Setup

OSVersion
1.0

FileOS
Win32

LegalCopyright
Copyright Remo Software, All rights reserved.

MachineType
Intel 386 or later, and compatibles

CompanyName
Remo Software

CodeSize
40448

FileSubtype
0

ProductVersionNumber
4.0.0.34

EntryPoint
0xa5f8

ObjectFileType
Executable application

File identification
MD5 3d67350fc974f797878452ea5ebe0bc7
SHA1 d8b1da68b94f97769ad7a0d68bdf11f0ac63bc30
SHA256 fbe734637d472e38d4fa0e3f270daac4e54d9ff63ddf286672c7125419e9613e
ssdeep
393216:bVixIxabNHSBrHMOlENrUemzCpsrBeGtSg2d1044Rj4EJ4GaZ90outt:5a0WJSBAT2zCpHGtSg+0pRxJ4M

authentihash 13fcd4b945b06dfa1429f26b334f676f507784a087294dcbf689c405aa4f76ae
imphash 884310b1928934402ea6fec1dbd3cf5e
File size 18.0 MB ( 18827328 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Inno Setup installer (89.6%)
Win32 Executable (generic) (3.6%)
Win16/32 Executable Delphi generic (1.6%)
OS/2 Executable (generic) (1.6%)
Generic Win/DOS Executable (1.6%)
Tags
nsis peexe aspack signed overlay

VirusTotal metadata
First submission 2013-11-06 22:23:45 UTC ( 5 years, 6 months ago )
Last submission 2018-05-24 02:24:16 UTC ( 12 months ago )
File names d8b1da68b94f97769ad7a0d68bdf11f0ac63bc30
rs-recover-pd0.exe
DB5aYuvXD.tar.gz
393363
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: Suspici.2955E6B8.

Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.